About

  • Welcome to the Thales Key Management digital media news centre.

    As companies look to protect their customer data and other sensitive information, encryption is being deployed more widely. Yet if an encryption key is lost then that data cannot be recovered. Avoiding this problem demands formalized processes and robust technologies for key management making the protection, management and secure use of cryptographic keys a fundamental component of modern IT security.

    This Thales media center provides information on international industry issues and trends relating to the general topic of key management. There's a also a Q & A page here which aims to answer some of the frequently asked questions on the subject. Key management affects organizations across all sectors and this site includes information on global best practices, regulation, technology, deployment scenarios and key management strategy.

    Thales leads in the provision of information and communication systems security solutions for government, defence, critical infrastructure, enterprise and the finance industry. Thales’s comprehensive portfolio of security products and services protect electronic information – safeguarding transactions, IT operations and information transfers within highly sensitive and regulated environments.

    Subscribe by email

    Find out more at http://www.thales-esecurity.com/

    Visit our payments site at www.paymentssecurity.com

Contributors

Key Management for Dummies

Resources

May 22, 2012

Harmonising European Audit Standards for Certification Authorities

Ensuring that Certification Authorities (CA), and other trust service providers, operate securely and follow current best practice is essential to the security of modern electronic services.

The European Telecommunications Standards Institute (ETSI), working with the international CA and web browser community, and in line with the emerging European regulatory environment for trust and confidence in electronic transactions, have recently issued a number of standards (follow link and search for Trust Service Provider) for assuring the secure operation of trusted service providers supporting the security of electronic transactions.

Continue reading "Harmonising European Audit Standards for Certification Authorities" »

Posted at 09:15 in Certificate Authority, Encryption |

|

April 25, 2012

Storage encryption still lacking despite enhancements in technology and standards

In the U.S., the state government in Massachusetts requires companies to report when they've lost sensitive information for their employees, customers or other key constituencies.

This week, for the first time, Massachusetts reported back as to what companies have been saying. According to a Boston Globe story, almost half of Massachusetts residents have had their personal information, such as social security and credit card numbers, compromised.

According to the story, Massachusetts companies are further required to encrypt data that is placed on portable devices, but most lost or stolen devices are not encrypted.

Continue reading "Storage encryption still lacking despite enhancements in technology and standards" »

Posted at 09:03 in Data breach notification regulation, Encryption, Key management |

Technorati Tags: , , , ,

|

March 26, 2012

Random or pseudorandom?

If you want to use encryption, you need to use keys. A key is (or rather should be) a random number that can encrypt or decrypt your information. A strong key is strong because the random nature of the chosen number means it could lie anywhere on a virtually endless number line. As readers of this blog will know, once you have a strong key, effective key management is essential to ensure the data it protects remains secure.

A recent study (which I referenced in a previous post) found that a small percentage (0.38%) of over 7 million public keys share a common factor and subsequently can be easily compromised. As Bruce Schneier recognises in his blog post, these 'weak' keys were almost certainly created with a poor random number generator. A poor random number generator does not create 'random' numbers, only 'psuedorandom' numbers i.e. numbers generated by a predictable process. Keys based on pseudorandom numbers are liable to compromise, meaning that data encrypted with such keys are not secure.

Continue reading "Random or pseudorandom?" »

Posted at 09:16 in Encryption, Key management, Standards of due care |

|

March 21, 2012

Mediyes Trojan Shines Spotlight on Mismanaged Signature Keys

Just last week a new example of the consequences of inadequately protected signature keys came to light. As reported in Network World , Kaspersky Lab discovered that a recently distributed Trojan, Mediyes, was digitally signed using a stolen private signature key whose digital certificate was owned by Swiss firm Conpavi AG.

The Network World story notes how digitally signed code is assessed more favorably by anti-virus vendors from a risk perspective, so stealing the key and creating a perfectly valid signature on the code helps further promulgate the nefarious Trojan before it can be detected.

Continue reading "Mediyes Trojan Shines Spotlight on Mismanaged Signature Keys" »

Posted at 09:21 in Encryption, Key management, Standards of due care |

|

February 29, 2012

There’s a new Sheriff in town and his name is KMIP

At this week’s  RSA Conference 2012 in San Francisco – the world’s leading security event – one of the buzz attractions is the leading IT vendors who have come together  to demonstrate KMIP, a new standards-based protocol for key management. Who, or rather what, is KMIP? The Key Management Interoperability Protocol, often simply known by the acronym of KMIP, promises a common specification that allows embedded encryption-enabled applications (clients) to securely interoperate with key management servers that have each implemented the standard.

Driven by OASIS as part of an international consortium, the KMIP Interop, happening live on the RSA expo floor, provides a working snapshot of how this enterprise key management protocol functions in a multi-vendor environment.  In Booth #128, clients from Cryptsoft, IBM, NetApp, and SafeNet communicate securely with key management servers from Cryptsoft, IBM, Quintessence Labs, SafeNet, and Thales. The clients and servers demonstrate the full key management lifecycle including creating, registering, locating, retrieving, deleting, and transferring symmetric and asymmetric keys and certificates between vendor systems. Both the fully ratified KMIP 1.0 OASIS Standard and the KMIP 1.1 Committee Draft specification are being shown.

Continue reading "There’s a new Sheriff in town and his name is KMIP" »

Posted at 16:44 in Encryption |

|

February 22, 2012

No skeleton key – protecting your organisation on the web

Weaknesses in the SSL protocol (the protocol for encrypting information over the internet) or the public certificate authority (CA) ecosystem that underpin it have received a lot of coverage recently and the last couple of weeks have been no exception.  The pervasive nature of SSL and its unique role in securing ecommerce and numerous cloud services makes SSL attractive to security researchers and attackers alike.  However, many of the lessons learnt are in no way specific to SSL and must be applied to other Public Key Infrastructure (PKI) and encryption deployments if we're to avoid handing potential attackers a skeleton key to access our sensitive data or critical infrastructure:

  • Recent research by École Polytechnique Fédérale de Lausanne has reminded us that for encryption or digital signatures to be effective keys must have a strong provenance as well as strong protection for their entire lifecycle.  Keys generated by a software algorithm and without a good source of entropy or randomness can be easy to crack and so are vulnerable to attack.

Continue reading "No skeleton key – protecting your organisation on the web" »

Posted at 12:33 in Certificate Authority, Encryption, IPS, SSL |

|

January 13, 2012

Safer digital identities in 2012?

Sometimes it takes a very public breach for the shockwaves to force an industry to tighten up security. I welcome the news that the Certificate Authority (CA) industry body that initially specified the standard for Extended Validation (EV) certificates has now published requirements (or standards of due care), for the issuance of publically trusted certificates. Certificate authorities that have signed up to the new requirements have 6 months to comply.

Continue reading "Safer digital identities in 2012?" »

Posted at 09:13 in Encryption |

|

October 27, 2011

SSL- moving forward

It's good news that Google have announced their continued expansion of the use of SSL which means that certain Google searches (and the results) will be encrypted. There's already been pressure to turn on encryption at corporate and domestic WiFi hotspots to prevent theft of passwords and other information by sniffers on the local hotspot but it must be remembered that this still only protects communication between the user's computer or phone and WiFi access point. Traffic flowing on the wired network across the various hops and interconnection points that make up the internet to get to websites such as Google is typically unencrypted. The solution is for web site operators to deploy technologies like SSL to provide end to end encryption from the consumer all the way back to their site. It's good to see that https (aka SSL), is now gradually replacing http, even for free services like Google search.

Continue reading "SSL- moving forward" »

Posted at 12:19 in Encryption, End-to-end encryption, SSL |

|

October 24, 2011

EU data protection reform – how will it affect the cloud?

Since the European Commission outlined its overhaul of EU data protection laws in June (see earlier post here), debate has continued about the scope and impact of the reforms, especially in reference to cloud computing.

The draft document is not due out until November but there has been considerable speculation on the details of the Directive, particularly over whether it will shift liability to the cloud provider in the event of a data breach.  

Continue reading "EU data protection reform – how will it affect the cloud?" »

Posted at 13:11 in Cloud computing, Current Affairs, Data breach notification regulation, Encryption |

|

September 13, 2011

Can certificate authorities be trusted?

Following the catastrophic security failures at both DigiNotar and Comodo that led to a single attacker obtaining numerous falsified SSL certificates and  the subsequent large scale misdirection of traffic in Iran, 2011 looks set to be a defining year that may change the landscape in the PKI world for years to come.

While vendors, consultants and regulators have advocated the benefits of PKI and define security practices and standards to ensure the integrity of the infrastructure upon which all e-commerce depends, attacks have typically been theoretical. Now there’s undeniable evidence that the threat is real. And while the recent attacks have (eventually) become public knowledge I cannot help but wonder how many other breaches remain undiscovered or unannounced.

Continue reading "Can certificate authorities be trusted?" »

Posted at 15:08 | | Comments (0)

|

Next »

Key Management Q&A

  • Want to know more about key management? This Q & A might help provide some answers

Key management resources

Categories

Archives

Subscribe to this blog's feed

Press contact